Support allowed_permissions in ExtensionSettings enterprise policy
Categories
(Firefox :: Enterprise Policies, enhancement)
Tracking
()
People
(Reporter: mkaply, Assigned: mkaply)
Details
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
Follow-up to bug 1904061, which added blocked_permissions.
Chrome's ExtensionSettings policy also supports allowed_permissions, which
acts as an explicit override of blocked_permissions. Though not documented
at https://support.google.com/chrome/a/answer/9867568, it's present in the
Chromium source:
- https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/extensions/extension_management_test_util.h;l=93
- https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/extensions/extension_management_internal.cc;l=123-156
And in the (more recent) "Managing Extensions in Your Enterprise - 2025 update"
Google doc.
Manual verification: if blocked_permissions and allowed_permissions both
include the same entry, allowed_permissions wins.
Scope:
- Add
allowed_permissionsto both"*"and per-id entries in
browser/components/enterprisepolicies/schemas/policies-schema.json. - In
EnterprisePoliciesParent.sys.mjsmayInstallAddon, apply
allowed_permissionsas an override before evaluating
blocked_permissions. - In
toolkit/components/extensions/parent/ext-permissions.js, same override
in thepermissions.requestcheck. - In
toolkit/mozapps/extensions/content/aboutaddons.js, don't lock the
optional-permission toggle for permissions present inallowed_permissions. - Strip
internal:-prefixed entries insetExtensionSettings(same as
blocked_permissions). - xpcshell + mochitest-browser coverage mirroring bug 1904061's tests.
| Assignee | ||
Comment 1•14 days ago
|
||
allowed_permissions un-blocks blocked_permissions with one consistent model on
both the install path (mayInstallAddon) and the optional-permission path
(permissions.request and the about:addons toggles): a per-id entry replaces ""
entirely, and a per-id allowed_permissions un-blocks its own
blocked_permissions. ""-level allowed_permissions is inert. To un-block a
permission for an extension, list both blocked_permissions and
allowed_permissions in that extension's per-id entry.
The effective blocked list is resolved once in getExtensionSettings, which
mayInstallAddon and the optional-permission consumers all read.
allowed_permissions is sanitized with the same permission-name regex as
blocked_permissions.
Updated•14 days ago
|
Comment 3•7 days ago
|
||
| bugherder | ||
Comment 4•21 hours ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined/Reason for urgency: Policy related. Want for 153 ESR.
- Code covered by automated testing?: yes
- Fix verified in Nightly?: yes
- Needs manual QE testing?: no
- Steps to reproduce for manual QE testing:
- Risk associated with taking this patch: low
- Explanation of risk level: Policy only change
- String changes made/needed?: None
- Is Android affected?: no
| Assignee | ||
Comment 5•21 hours ago
|
||
allowed_permissions un-blocks blocked_permissions with one consistent model on
both the install path (mayInstallAddon) and the optional-permission path
(permissions.request and the about:addons toggles): a per-id entry replaces ""
entirely, and a per-id allowed_permissions un-blocks its own
blocked_permissions. ""-level allowed_permissions is inert. To un-block a
permission for an extension, list both blocked_permissions and
allowed_permissions in that extension's per-id entry.
The effective blocked list is resolved once in getExtensionSettings, which
mayInstallAddon and the optional-permission consumers all read.
Original Revision: https://phabricator.services.mozilla.com/D307408
Updated•7 hours ago
|
Updated•7 hours ago
|
Description
•